Secure scripts variables

Paul Rubin http
Thu Mar 31 04:04:52 EST 2005


Florian Lindner <Florian.Lindner at xgm.de> writes:
> AFAIK scripts can't be setuid? Can you tell me what you mean and how to do
> it?

Actually it looks like Linux doesn't support setuid scripts.  I
thought the feature had been restored.  There is a well-known security
hole but there are workarounds for it and some of the BSD-derived
Unixes implement those.  And there is a special hack for Perl that
uses an accessory setuid C program to run setuid Perl scripts--maybe
something like it could be written for Python.

Anyway, the simple workaround is to write a simple C wrapper that
invokes the Python interpreter on your script.  Make sure to use a
complete path to specify where your script is.  From the "perlsec"
documentation:

        #include <stdio.h>
        #include <unistd.h>

        #define REAL_PATH "/path/to/script"   /* absolute path to the script */

        int main(int argc, char **argv)
        {
            (void)argc;
            execv(REAL_PATH, argv);   /* replaces this process; returns only on failure */
            perror("execv");
            return 1;
        }

    Compile this wrapper into a binary executable and then make it rather
    than your script setuid or setgid.

http://supportweb.cs.bham.ac.uk/documentation/perl5/pod/perlsec.html

You have to be very careful writing these scripts since there are all
kinds of errors you can make.  Perl's "taint checking" feature helps
catch a lot of those and it would be good if Python had something
similar.


